Detection | Level: high | Status: test
Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script
Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil.
Authors: Tim Rauch, François Hubaut. Created: Tue Sep 20. Updated: Fri Dec 02. Rule ID: c1337eb8-921a-4b59-855b-4ba188ddcc42. Product: windows.
Log Source
Product: Windows (raw: windows)
Category: PowerShell Script (raw: ps_script)
Detection Logic (3 selectors)
detection:
    selection_get:
        ScriptBlockText|contains:
            - 'Get-WmiObject'
            - 'gwmi'
            - 'Get-CimInstance'
            - 'gcim'
    selection_shadowcopy:
        ScriptBlockText|contains: 'Win32_ShadowCopy'
    selection_delete:
        ScriptBlockText|contains:
            - '.Delete()'
            - 'Remove-WmiObject'
            - 'rwmi'
            - 'Remove-CimInstance'
            - 'rcim'
    condition: all of selection*
False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
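To show how the three selectors combine, here is an added example (not code from the rule or its project) that evaluates the detection logic above against constructed ScriptBlockText values, mirroring Sigma's default case-insensitive substring matching for `contains` and the `all of selection*` condition. The sample events and their names are assumptions made up for the demonstration, not real telemetry.

```python
"""Added example: evaluate the rule's three selections against constructed
PowerShell ScriptBlockText values the way a Sigma backend would."""

# Selections copied from the rule's detection block.
SELECTION_GET = ["Get-WmiObject", "gwmi", "Get-CimInstance", "gcim"]
SELECTION_SHADOWCOPY = ["Win32_ShadowCopy"]
SELECTION_DELETE = [".Delete()", "Remove-WmiObject", "rwmi",
                    "Remove-CimInstance", "rcim"]


def contains_any(text: str, needles: list[str]) -> bool:
    """Sigma '|contains' with a list is an OR over the values;
    string matching is case-insensitive by default."""
    lowered = text.lower()
    return any(needle.lower() in lowered for needle in needles)


def rule_matches(script_block_text: str) -> bool:
    """'all of selection*': every selection must hit the same event."""
    return (
        contains_any(script_block_text, SELECTION_GET)
        and contains_any(script_block_text, SELECTION_SHADOWCOPY)
        and contains_any(script_block_text, SELECTION_DELETE)
    )


# Constructed sample events (assumed ScriptBlockText values), not real logs.
SAMPLE_EVENTS = {
    # Lists shadow copies only: no delete token, so no alert.
    "list_only": "Get-WmiObject Win32_ShadowCopy | Select-Object ID, InstallDate",
    # The pattern the rule describes: get, class and delete in one block.
    "delete_wmi": "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }",
    # Aliases and lower case still match because matching is case-insensitive.
    "delete_cim_alias": "gcim win32_shadowcopy | rcim",
    # Admin removal of an unrelated CIM object: no Win32_ShadowCopy, no alert.
    "unrelated_delete": "Get-CimInstance Win32_Printer -Filter \"Name='Old'\" | Remove-CimInstance",
    # Different tooling entirely; this rule is not meant to cover it.
    "no_wmi_cmdlet": "vssadmin list shadows",
}


def evaluate(events: dict[str, str]) -> list[str]:
    """Return the names of the events the rule would alert on, in input order."""
    return [name for name, text in events.items() if rule_matches(text)]


if __name__ == "__main__":
    for name in evaluate(SAMPLE_EVENTS):
        print(f"ALERT {name}: {SAMPLE_EVENTS[name]}")
```

All three selections must hit within a single ScriptBlockText value, so a script that enumerates shadow copies in one logged block and deletes them in a later one is not matched by this rule. The ps_script log source also presupposes that PowerShell script block logging is enabled on the host.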
MITRE ATT&CK
Tactics: Impact (attack.impact)
Techniques: T1490 Inhibit System Recovery (attack.t1490)
Related Rules
Derived: e17121b4-ef2a-4418-8a59-12fb1631fa9e (rule not found)
Similar: Deletion of Volume Shadow Copies via WMI with PowerShell (Detection, level: high)
Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil.
Detects similar activity. Both rules may fire on overlapping events.
Rule Metadata
Rule ID: c1337eb8-921a-4b59-855b-4ba188ddcc42
Status: test
Level: high
Type: Detection
Created: Tue Sep 20
Modified: Fri Dec 02
Author: Tim Rauch, François Hubaut
Path: rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml
Raw Tags: attack.impact, attack.t1490